Snort mailing list archives

Re: [SPAM] FN on community very old sid 1253 rev 21?


From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 23 Apr 2013 11:37:51 -0400

Thanks for the info.  Looking at the rule and the exploit description,
I believe the flow is backward and I'm changing it to to_server.


Thanks,

~Patrick

On Mon, Apr 22, 2013 at 5:10 PM, rmkml <rmkml () yahoo fr> wrote:
Hi,

Can you check the flow side on this very old rule, which causes an FN, please? (This rule
is not enabled by default.)

  alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing";
    flow:to_client,established; dsize:>200;
    content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes;
    metadata:ruleset community, service telnet;
    reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709;
    classtype:successful-admin; sid:1253; rev:21;)

Regards
Rmkml

http://twitter.com/rmkml

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT

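The mismatch discussed in the thread is a general one: a rule header of `$EXTERNAL_NET any -> $TELNET_SERVERS 23` only ever sees packets travelling toward the telnet server, while `flow:to_client` only accepts packets sent by the server, so the two conditions can never both hold and the rule silently never fires (a false negative rather than a false positive). The script below is an added example, not code from the thread, from Snort or from Sourcefire. It parses a rule, guesses which side of the header is the server (the guess is this script's own heuristic, not a Snort rule: a `*_SERVERS` variable, or failing that a fixed port on one side with `any` on the other), and reports when the `flow:` direction keyword contradicts the header, suggesting the keyword that agrees with it. The rule string embedded in it is a constructed copy of sid 1253 rev 21 as quoted above, joined onto one line.

```python
"""Lint a Snort rule for a header/flow direction mismatch (added example)."""
import re

# Which endpoint sends a packet that satisfies each flow: direction keyword.
FLOW_SENDER = {
    "to_server": "client",
    "from_client": "client",
    "to_client": "server",
    "from_server": "server",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$"
)


def parse_rule(rule_text):
    """Return (header dict, list of (keyword, value) options) for one rule.

    Wrapped continuation lines are joined first, since mail clients wrap long
    rules. Options are split on unescaped ';' only, which is how Snort itself
    terminates options (a literal ';' inside a string must be escaped as '\\;').
    """
    text = " ".join(line.strip() for line in rule_text.strip().splitlines())
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("does not look like a Snort rule")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in re.split(r"(?<!\\);", m.group("body")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        options.append((key.strip(), val.strip()))
    return header, options


def server_side(header):
    """Guess whether 'src' or 'dst' in the header is the server (None if unsure).

    Heuristic (an assumption of this script): a *_SERVERS variable marks the
    server side; otherwise the side with a fixed port while the other is 'any'.
    """
    for side in ("src", "dst"):
        if header[side].upper().endswith("_SERVERS"):
            return side
    sport, dport = header["sport"], header["dport"]
    if sport == "any" and dport != "any":
        return "dst"
    if dport == "any" and sport != "any":
        return "src"
    return None


def lint_flow(rule_text):
    """Compare the header direction with the flow: option.

    'consistent' is False when the header can only match packets sent by one
    endpoint while flow: demands packets sent by the other, so the rule can
    never fire; 'suggested_flow' then names the keyword that agrees with the header.
    """
    header, options = parse_rule(rule_text)
    opts = dict(options)
    flow = opts.get("flow")
    result = {"sid": opts.get("sid"), "flow": flow, "consistent": True,
              "suggested_flow": None, "reason": ""}
    if flow is None or header["dir"] == "<>":
        result["reason"] = "no flow option or bidirectional header; nothing to compare"
        return result
    flow_dir = next((t.strip() for t in flow.split(",") if t.strip() in FLOW_SENDER), None)
    srv = server_side(header)
    if flow_dir is None or srv is None:
        result["reason"] = "flow has no direction keyword or server side is unclear"
        return result
    # With '->', packets travel src -> dst, so the sender is whichever side is not the server.
    header_sender = "client" if srv == "dst" else "server"
    flow_sender = FLOW_SENDER[flow_dir]
    if header_sender != flow_sender:
        result["consistent"] = False
        result["suggested_flow"] = "to_server" if header_sender == "client" else "to_client"
        result["reason"] = (f"header matches packets sent by the {header_sender}, "
                            f"but flow:{flow_dir} requires packets sent by the {flow_sender}")
    else:
        result["reason"] = f"flow:{flow_dir} agrees with the header direction"
    return result


# Constructed copy of the rule quoted in the thread (sid 1253 rev 21), joined onto one line.
SID_1253_REV21 = (
    'alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; '
    'flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; '
    'offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; '
    'reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:21;)'
)

if __name__ == "__main__":
    r = lint_flow(SID_1253_REV21)
    print(f"sid {r['sid']}: flow={r['flow']} consistent={r['consistent']} ({r['reason']})")
    if not r["consistent"]:
        print(f"  suggested: flow:{r['suggested_flow']},established")
```

Run over a whole rules file, the same check flags every rule whose header and `flow:` keyword point in opposite directions; such rules are worth reviewing before a ruleset is trusted, because they produce no alerts at all rather than noisy ones.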

